Method and system for GSM billing during WLAN roaming

ABSTRACT

The invention relates to a method and system for recording and billing of services during roaming of a mobile IP node (20) in heterogeneous WLANs, in which first call detail records are transmitted from an access server (23/1001) to a billing module (1003) and second call detail records from the access server to a proxy module (1002). By means of a clearing module (1004), the obtained service is billed (1016) at a provider (1008) of a fixed network (1007) and/or TAP files (1017) are transmitted to a GSM (1005) service provider (1006) for billing.

The invention presented here relates to a method and system for seamless roaming in heterogeneous WLANs in which, for billing and accounting, a mobile IP node requests access to the WLAN through an access server via a wireless interface within the basic service area of a WLAN, whereby the basic service area of the WLAN includes one or more access points assigned to the access server, and whereby the mobile IP node is authenticated by means of an IMSI stored on the SIM card of the IP node. Most especially the invention relates to a method for mobile nodes in heterogeneous WLANs.

In the last years the worldwide number of Internet users, and thereby the amount of information being offered there, has increased exponentially. However, even though the Internet offers worldwide access to information, the user does not normally have access to it until he/she has arrived at a certain network access point such as, for example, at the office, at school, at the university or at home. The growing availability of IP-capable mobile units such as for example PDAs, cellular phones and laptops is beginning to change our idea of the Internet. An analogous transition from fixed nodes in networks to more flexible requirements based on higher mobility has just begun. In mobile telephone use, for example, this tendency has shown itself, among other things, in new standards such as WAP, GPRS or UMTS. To be able to better understand the difference between the present reality and the IP connection possibilities of the future, one can take as a comparison the development of telephony during the last twenty years in the direction of mobility. The demand in the private as well as in the business sector for a worldwide independent wireless access to LANs (e.g. in airports, cities, etc.) using laptops, PDAs etc. is enormous. However the WLANs based, for example, on IP today do not offer the service, such as provided e.g. with GSM/GPRS, which would permit free roaming of the user. These services should also, apart from security mechanisms such as in GSM/GPRS, include facilities for service authentication and for billing, i.e. inclusion of billing for the service provided, etc. On the other hand, such a service is also not being offered by existing GSM/GPRS operators. It is not only the roaming between different WLANs that is important. Through the enormous growth in information technology with WLANs (with Internet access, etc.) and also the great growth in mobile telephone usage, it is useful to combine both these worlds. Only the combination of both these worlds makes possible easy and automatic roaming for wireless LANs, as the user of mobile telephone technology is accustomed to. Thus there exists the demand for service providers enabling standard-spanning roaming between different WLAN service providers and between WLAN service providers and GSM/GPRS service providers.

Computer networks or local area networks (LANs) consist normally of so-called nodes, which are connected via physical mediums such as coaxial cables, twisted pair cables or optical fiber cables. These LANs are also known as wired LANs (wired fixed networks). During the last years also cable-free LANs or so-called wireless LANs have become increasingly popular (e.g. through developments such as the AirPort-System by Apple Computer, Inc., etc.). Wireless LANs are especially suitable for linking mobile units (nodes), such as e.g. laptops, notebooks, PDAs (Personal Digital Assistant) or mobile radio devices, in particular mobile radio telephones, using an appropriate interface, in a local computer network. The mobile nodes are equipped with an adaptor including a transmitter/receiver as well as a controller card (such as e.g. an infrared (IR) adapter or a low frequency radio wave adapter). The advantage of such mobile nodes is that they can be moved freely within the range of the wireless LAN. The mobile nodes either communicate directly with each other (peer-to-peer wireless LAN), or send their signal to a base station which amplifies the signal and/or passes it on. The base stations may also incorporate bridge functions. Via such base stations with bridge functions, the so-called Access Points (APs), the mobile nodes of the wireless LAN can gain access to a wired LAN. Typical network functions of an access point include the transmission of messages from one mobile node to another, the transmission of messages from a wired LAN to a mobile node and the transmission of messages from a mobile node to a wired LAN.

The physical range of an AP is called the Basic Service Area (BSA). If a mobile node is located within the BSA of an AP it can communicate with this AP, providing the AP is also within the signal range (Dynamic Service Area (DSA)) of the mobile node. Normally several APs are assigned to an access server that, among other things, monitors and administers the authorization of the mobile nodes via a user database. The total area that is covered by the APs of an access server is known as the so-called hot spot. Mobile nodes are typically provided with a signal strength from 100 mwatts up to one watt. To be able to connect the wireless LAN to the wired LAN it is important for the AP to determine if a certain message (information frame) within the network is destined for a node that is within the wired LAN or within the wireless LAN, and, if required, to forward this information to the corresponding node. For this purpose APs are provided with so-called bridge functions, e.g. in accordance with IEEE Standard Std 802.1D-1990 “Media Access Control Bridge” (31-74 ff). For these bridge functions a new mobile node in the wireless LAN is typically registered in an FDB (Filtering Database) of the AP within whose range the node lies. With each information frame on the LAN the AP compares the target address with the addresses (MAC Addresses (Media Control Addresses)) which it has stored in its FDB, and transmits, rejects or transfers the frame to the wired LAN or respectively to the wireless LAN.

With mobile network usage, an existing IP access to the mobile node by applications should not be interrupted if the user changes his location within the network. On the contrary, all connections and interface changes, such as e.g. changes to different hot spots and especially different networks (Ethernet, mobile radio phone network, WLAN, Bluetooth, etc.), should be able to be performed automatically and not interactively, so that the user does not even have to be aware of the change taking place. This also applies, for example, during the use of real-time applications. True mobile IP computing exhibits many advantages based on a stable access to the Internet at all times. With such an access, work can be organized freely and independently from the desk. The demands made on mobile nodes in networks distinguish themselves in various ways from the initially mentioned development in mobile radio technology, however. The end points in the mobile radio system are, generally speaking, human beings. In mobile nodes, however, computer applications can perform interactions between other network participants without any human actions or interventions. Extensive examples of this can be found in airplanes, ships and automobiles. Thus especially mobile computing with Internet access can make sense together with other applications such as e.g. in combination with positioning devices, such as the satellite-based GPS (Global Positioning System).

One of the problems with mobile network access via Internet Protocol (IP) is that the IP protocol, which is used to route the data packets in the network from the source address to the target address (Destination Address), uses so-called IP addresses (IP: Internet Protocol). These addresses are assigned to a fixed location in the network, similar to the way telephone numbers of fixed networks are assigned to a physical wall socket. When the destination address of the data packets is a mobile node, this means that with each network location change a new IP network address must be assigned, which renders transparent mobile access impossible. These problems were solved by the mobile IP standard (IETF RFC 2002, October 1996) of the Internet Engineering Task Force (IETF), in that the mobile IP allows the mobile node to use two IP addresses. One of them is the normal static IP address (home address), which specifies the location of the home network, while the second is a dynamic care-of address, which designates the current location of the mobile node within the network. The assignment of the two addresses makes it possible to reroute the IP data packets to the correct current address of the mobile node.

One of the most frequently used protocols for authentication of a user within a wireless LAN is the open source protocol IEEE 802.1x (in the current version 802.11) from the Institute of Electrical and Electronics Engineers Standards Association. The IEEE 802.1x authentication permits authenticated access to IEEE 802 media such as, for example, Ethernet, Token Ring and/or 802.11 wireless LAN. The 802.11 protocol generates for wireless LAN, i.e. for wireless local networks, a 1 or 2 Mbps transmission in the 2.4 GHz band, whereby either FHSS (Frequency Hopping Spread Spectrum) or DSSS (Direct Sequence Spread Spectrum) is used. For authentication, 802.1x supports authentication EAP (Extensible Authentication Protocol) and TLS (Wireless Transport Layer Security). 802.11 also supports RADIUS. Although the RADIUS support is optional in 802.1x, it is to be expected that most of the 802.1x authenticators will support RADIUS. The IEEE 802.1x protocol is a so-called port-based authentication protocol. It can be used in every environment in which a port, i.e. the interface of a unit, can be specified. With the authentication based on 802.1x, three units can be differentiated. The unit of the user (supplicant/client), the authenticator and the authentication server. It is the role of the authenticator to authenticate the supplicant. Authenticator and supplicant are connected, for example, via a point-to-point LAN segment or a 802.11 wireless LAN. Authenticator and supplicant have a defined port, a so-called Port Access Entry (PAE), which defines a physical or virtual 802.1x port.

The authentication server generates the authentication services required by the authenticator. In this way it verifies the entitlement data supplied by the supplicant regarding the claimed identity.

The authentication servers are usually based on RADIUS (Remote Authentication Dial-In User Service) of the IETF (Internet Engineering Task Force). The use of the RADIUS authentication protocol and accounting system is widespread in network units such as, for example, routers, modem servers, switches, etc., and is used by most Internet service providers (ISPs). If a user dials into an ISP he/she has to enter normally a user name and password. The RADIUS server verifies this information, and authorizes the user for access to the ISP system. The reason for the widespread use of RADIUS lies among other things in that network units cannot generally cope with a large number of network users each with different authentication data, since this would exceed, for example, the storage capacity of the individual network units. RADIUS permits the central administration of a multiplicity of network users (addition, deletion of users, etc.). This is therefore a necessary prerequisite of the ISPs (Internet Service Providers) for their service because their number of users often amounts to several thousand to several tens of thousands. RADIUS further generates a certain permanent protection against hackers. The remote authentication by RADIUS based on TACACS+ (Terminal Access Controller Access Control System+) and LDAP (Lightweight Directory Access Protocol) is relatively secure against hackers. Many other remote authentication protocols, in contrast, have only temporary or insufficient or no protection against hacker attacks at all. Another advantage is that RADIUS is at present the de-facto standard for remote authentication, whereby RADIUS is also supported by nearly all systems, which is not the case for other protocols.

The above-mentioned Extensible Authentication Protocol (EAP) is in reality an extension of the PPP (Point-to-Point Protocol) and is defined by the Request for Comments (RFC) 2284 PPP Extensible Authentication Protocol (EAP) of the IETF. By way of PPP a computer can be connected to the server of an ISP, for example. PPP works in the data link layer of the OSI model, and sends the TCP/IP packets of the computer to the server of the ISP that forms the interface to the Internet. In contrast to the older SLIP protocol (Serial Line Internet Protocol), PPP functions more stably and has error correction facilities.

The extensible authentication protocol is a protocol on a very general level that supports diverse authentication methods such as, for example, token cards, Kerberos of the Massachusetts Institute of Technology (MIT), strike off passwords, certificates, public key authentication and smart cards or the so-called Integrated Circuit Cards (ICC). IEEE 802.1x defines the specifications such as EAP that must be integrated into LAN frames. With communication in wireless networks via EAPs, a user requests from an access point via wireless communication, i.e. a connection hub for the remote access client or supplicant to the WLAN, access to the wireless LAN. The AP then requests from the supplicant the identification of the user, and transmits the identification to the above-mentioned authentication server, that is based, for example, on RADIUS. The authentication server allows the Access Point to recheck the identification of the user. The AP collects this authentication data from the supplicant and transmits these to the authentication server which terminates the authentication method.

With EAP an arbitrary authentication method generates a remote access connection. The precise authentication scheme is respectively determined between the supplicant and the authenticator (that means the remote access server, the Internet Authentication Service (IAS) server, or respectively for WLAN the access point). As mentioned above, EAP thereby supports many different authentication schemes such as, for example, generic Token Card, MD5-Challenge, Transport Level Security (TLS) for smart cards, S/Key and possible future authentication technologies. EAP permits an unlimited number of question/answer communications between the supplicant and the authenticator, whereby the authenticator or respectively the authentication server requests specific authentication information and the supplicant, i.e. the remote access client responds. As an example, via the authenticator, the authentication server can request individually from the so-called security token cards a user name, then a PIN (Personal Identity Number) and finally a token card value from the supplicant. A further authentication level is thereby performed for each question/answer cycle. If all authentication levels are successfully answered, the supplicant is authenticated. A specific EAP authentication scheme is termed an EAP type. Both sides, i.e. supplicant and authenticator, must support the same EAP type so that authentication can be carried out. As mentioned, this is determined at the start between supplicant and authenticator. Authentication servers based on RADIUS normally support EAP, which offers the possibility of sending EAP messages to a RADIUS server.

In the state of the art, EAP-based methods for authentication of a user and for allocation of session keys to the user via the GSM Subscriber Identity Module (SIM) are also known. The GSM authentication is based on a question-answer method, the so-called Challenge-Response Method. As a challenge (question) the authentication algorithm of the SIM card is given a 128-bit random number (generally known as a RAND). Then a confidential algorithm, specific to the respective operator, runs on the SIM card, which algorithm receives as an input the random number RAND and a confidential key Ki, stored on the SIM card, out of which it generates a 32 bit response (SRES) and a 64 bit key Kc. Kc is designed for encoding the data transfer via wireless interfaces (GSM Technical Specification GSM 03.20 (ETS 300 534): “Digital cellular telecommunication system (Phase 2); Security related network functions”, European Telecommunications Standards Institute, August 1997). Used in the EAP/SIM authentication are several RAND challenges to generate several 64 bit Kc keys. These Kc keys are combined into a longer session key. With EAP/SIM the normal GSM authentication method is extended by means of the RAND challenges additionally having a Message Authentication Code (MAC), to generate mutual authentication. To perform the GSM authentication the authentication server should have an interface with the GSM network. The authentication server operates consequently as a gateway between the Internet Authentication Service (IAS) server network and the GSM authentication infrastructure. At the start of the EAP/SIM authentication, with a first EAP request by the authenticator, the authentication server requests from the supplicant, among other things, the International Mobile Subscriber Identity (IMSI) of the user. With the IMSI the authentication server receives on request from the authentication center (AuC) of the corresponding cellular wireless network operator, normally known in the GSM network as Home Location Register (HLR) or respectively Visitor Location Register (VLR), n GSM triplets. From the triplets the authentication server obtains a Message Identification Code for n* RAND and a lifespan for the key (together MAC_RAND), as well as a session key. With this the authentication server can perform the GSM authentication on the SIM card of the supplicant or respectively of the user. Since RAND are provided to the supplicant together with the Message Authentication Code MAC_RAND, it becomes possible for the supplicant to verify if the RANDs are new and were generated through the GSM network.
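The challenge-response exchange described above can be modelled end to end; the following is an added example, not part of the patent text and not the EAP/SIM wire protocol. The operator-specific SIM algorithm is confidential, so HMAC-SHA256 stands in for it, and the key-combination and MAC constructions, the function names and the IMSI and Ki values are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def sim_algorithm(ki, rand):
    """Stand-in (assumption) for the confidential operator algorithm on the SIM:
    takes Ki and a 128-bit RAND, returns a 32-bit SRES and a 64-bit Kc."""
    if len(rand) != 16:
        raise ValueError("RAND must be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def auc_triplets(ki, n):
    """AuC/HLR side: produce n GSM triplets (RAND, SRES, Kc) for one subscriber."""
    triplets = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = sim_algorithm(ki, rand)
        triplets.append((rand, sres, kc))
    return triplets


def session_key(kcs, imsi):
    """Combine several 64-bit Kc keys into one longer key (simplified, assumed KDF)."""
    return hashlib.sha256(imsi.encode() + b"".join(kcs)).digest()


def mac_rand(key, rands, lifetime_s):
    """MAC over the n RANDs and the key lifetime, keyed with the session key."""
    msg = b"".join(rands) + lifetime_s.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_challenge(triplets, imsi, lifetime_s):
    """Authentication server: build the challenge from the triplets it was given."""
    rands = [t[0] for t in triplets]
    key = session_key([t[2] for t in triplets], imsi)
    return rands, lifetime_s, mac_rand(key, rands, lifetime_s)


def supplicant_respond(ki, imsi, rands, lifetime_s, mac):
    """Supplicant: run the SIM on every RAND, check MAC_RAND, then answer.
    Returns (sres_list, session_key), or None when the challenge is rejected."""
    if len(set(rands)) != len(rands):
        return None  # a repeated RAND would reduce the key material
    results = [sim_algorithm(ki, r) for r in rands]
    key = session_key([kc for _, kc in results], imsi)
    # Only a party holding the triplets for this Ki can produce a matching MAC,
    # which is what authenticates the network side to the supplicant.
    if not hmac.compare_digest(mac_rand(key, rands, lifetime_s), mac):
        return None
    return [sres for sres, _ in results], key


def server_verify(triplets, sres_list):
    """Authentication server: compare the SRES values with those in the triplets."""
    expected = b"".join(t[1] for t in triplets)
    return hmac.compare_digest(expected, b"".join(sres_list))


if __name__ == "__main__":
    ki = bytes(range(16))            # constructed subscriber key
    imsi = "001010123456789"         # constructed IMSI (test network code)
    triplets = auc_triplets(ki, 3)
    rands, lifetime, mac = server_challenge(triplets, imsi, 3600)
    answer = supplicant_respond(ki, imsi, rands, lifetime, mac)
    print("supplicant accepted challenge:", answer is not None)
    print("server accepted response:", server_verify(triplets, answer[0]))
    forged = [bytes(16)] + rands[1:]  # one RAND replaced by a third party
    print("forged challenge accepted:",
          supplicant_respond(ki, imsi, forged, lifetime, mac) is not None)
```
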

Known in the state of the art for the billing of the service obtained by mobile units in GSM networks is the so-called TAP protocol (TAP: Transferred Account Procedure) of the Transferred Account Data Interchange Group (TADIG) of the GSM Association. GSM is based on the concept of roaming, which permits a user of a mobile radio device to use his or her mobile radio device in any desired country and network. The billing of the service obtained is thereby not at all a trivial matter, however. Worldwide today there are more than 400 GSM networks in operation, and in addition there exist an estimated more than 20 000 individual roaming agreements between the network operators. Thus behind the seemingly simple idea of roaming there lies an extremely complex process of data acquisition, data distribution and data evaluation in order to make the billing possible. The Transferred Account Procedure (TAP) is a method by which mobile radio network service providers exchange roaming billing information. Following TAP2 and TAP2+, TAP3 was launched on the 4th of June 2000. TAP3 can be termed today as the standard, although TAP is a further developing protocol.

Most of the voice and data traffic in GSM networks comes or ends in a network other than that in which the mobile user is located at the present time. The operator of a local network charges fees for each call which ends at one of his users, regardless of whether a fixed network or a mobile radio network is involved. Therefore the local fixed network operators mutually conclude agreements with the local mobile radio network operators to simplify the charging of the fees. Thus it is also not necessary then for a Swiss mobile radio network operator to conclude an agreement with a Canadian fixed network provider in order to bill for a call of a Swiss mobile radio network user to a Canadian fixed network user. Normally the Swiss fixed network provider already has an agreement concluded with the Canadian fixed network provider relating to billing mode and fees, and the Swiss mobile radio network operator bills via the Swiss fixed network provider with a corresponding agreement. The costs are usually charged to the user either directly (retail billing) or via a service provider (wholesale billing). The mode of billing of roaming data traffic or roaming voice traffic between different mobile radio networks (PMN: Public Mobile Network) takes place by means of the TAP protocol. Roaming call records are typically created either as TAP or as CIBER (Cellular Intercarrier Billing Exchange Roamer) records. CIBER records are used by mobile radio network operators who work with AMPS-based technologies, such as e.g. AMPS, IS-136 TDMA and IS-95 CDMA. TAP is used above all by GSM mobile radio network service providers, and is the main protocol for billing in GSM-dominated areas.

Details of a call by a user who is located in a foreign network (VPLMN: Visited Public Land-based Mobile Network) are registered in a Mobile Switching Center (MSC) of the network. Each call thus generates one or more call records. The GSM standard for these records is defined in GSM 12.05, although many providers use their own formats. The call records of the MSC are transmitted to a billing system of the VPLMN for billing. These call records are then converted into TAP format, and assigned to the respective user. Within 36 hours at the latest the TAP records are sent to the respective mobile radio network service provider. The TAP files contain in addition information relating to the provider service tariff (IOT: Inter Operator Tariff) and all further bilateral agreements and privilege or discount schemes. The TAP records are sent directly, or more commonly via a billing point, such as e.g. a clearing house. If the home network operator (HPMN: Home Public Mobile Network) receives a TAP record from the VPLMN, this is converted into a corresponding internal format and billed together with the normal call records of the user which he has generated in the home network. With wholesale billing, in which a service provider bills the costs arising to the user, the HPMN passes the records on to the service provider who can re-bill the calls, in particular according to own tariffs, and who generates the statement of accounts with e.g. call details for the user.

TAP3 supports a multiplicity of services. TAP3 is used today for the billing between GSM service providers and GSM service providers, GSM service providers and non-GSM service providers (inter-standard roaming), and GSM service providers and satellite service providers, etc. The three fundamental service categories voice, fax and so-called supplementary services have been supported already since TAP1. The billing of short message services (SMS), on the other hand, is of a less trivial nature owing to the use of Short Message Service Centers (SMS-C) of third parties. The following reasons make difficult the billing of SMS: 1.) while roaming, a roaming user can receive an SMS (MT-SMS), 2.) while roaming, a roaming user can send an SMS (MO-SMS) in that he uses the SMS-C of his home network, and 3.) while roaming, a roaming user can send an SMS (MO-SMS) in that he uses the SMS-C of a foreign network. The billing of SMS services is thus completely supported starting with TAP2+. Starting with TAP3, supported furthermore is the billing of Single Circuit Switched Data, HSCSD (High Speed Circuit Switched Data) and GPRS (General Packet Radio Service). TAP3 likewise supports all value-added services (VAS), such as e.g. the so-called billing for content. The billing of value-added services is often difficult, however, since it has as a prerequisite the consent of the service provider to the billed services. Customized Application Mobile Enhanced Logic (CAMEL) is supported starting with TAP 3.4. CAMEL is especially important for applications with prepaid services for roaming users, and may gain powerfully in significance in the future. Another important application for TAP3 is the supporting of billing based on Inter Operator Tariff (IOT). IOT makes it possible for the home network service provider (HPMN) to check special offers and tariffs of a foreign service provider (VPMN) and to pass them on to the roaming user. Thus, for instance, the VPMN can give privileges or discounts for different call services or call levels, and the HPMN can simply verify these and adapt its tariffs. The possibility of billing roaming services, regardless of where the user is located just now, is a valuable tool for mobile network service providers, and prevents the loss of receipts, proceeds or resources in the case of interim discounts by a VPMN. Starting with TAP3, the TAP protocol likewise includes detailed information about from where a call has been specifically made, or respectively a service was obtained, etc., and to where it has been directed. This information helps to create a profile of the respective user based on his behavior, which provides important information for adapting and optimizing the services to the needs of the user. In particular it can be used to offer special location-based services, such as e.g. sports or concert events. Finally, with the Returned Accounts Procedure (RAP) protocol, TAP3 also permits a differentiated error handling. Thus with RAP of the HPMN, among other things, detailed TAP files can be checked with respect to their validity and conformity with the TAP standard, and discarded, if necessary, without billings for services thereby being lost.

The state of the art does have a wide variety of disadvantages, however. It is indeed possible, for example, with an EAP-SIM to use the authentication method from the GSM networks in the wireless LAN technology for authentication of supplicants or respectively of remote access clients, provided the user has an IMSI with a GSM provider. It is also possible in principle, by means of e.g. mobile IP of the IETF (Internet Engineering Task Force), to reroute (route) data streams to the respective mobile remote access client registered with an access server via an access point. By far not all the problems of mobile network usage allowing a really free roaming of the user are thereby solved, however. One of the problems is that in the IP network the prerequisites, required in the GSM standard, with respect to security, billing and service authorization are no longer there. This is intrinsically connected with the open architecture of the IP protocol. That means that in the IP standard a lot of data are missing which are absolutely necessary for full compatibility with GSM networks. Moreover an access server based for example on RADIUS supplies a single data stream. This cannot simply be mapped to the multi-part data stream of the GSM standard. Another drawback in the state of the art is that today wireless LANs are based on individual hot spots (i.e. the basic service area of the access points of an access server), which are on offer from various software and hardware developers around the world. This makes difficult the combination of the two worlds since such gateway functions must each be adapted individually to the specific solution. The technical specifications for the GSM authentication interface may be referenced in MAP (Mobile Application Part) GSM 09.02 Phase 1 Version 3.10.0.

It is the object of this invention to propose a new method for mobile nodes in heterogeneous WLANs. In particular, it should be made possible for the user to move between different hot spots without any difficulty (roaming), without having to bother about registering, billing, service authorization, etc., at the various WLAN service providers, i.e. enjoy the same convenience as he is accustomed to from mobile radio technology such as e.g. GSM.

These objects are achieved according to the present invention through the elements of the independent claims. Further preferred embodiments follow moreover from the dependent claims and from the specification.

These objects are achieved through the invention in particular in that for recording and billing of services during roaming of a mobile IP node in heterogeneous WLANs, the mobile IP node accesses an access point of a WLAN within a basic service area of a WLAN via a wireless interface, and the basic service area of the WLAN includes one or more access points assigned to an access server, with which, upon request from the access server, the mobile IP node transmits an IMSI stored on an SIM card of the mobile IP node to the access server, and the IMSI of the IP node is stored in a database of an SIM-RADIUS module, whereby, by means of an SIM user database and an SIM gateway module, the SIM-RADIUS module supplements user-specifically the logical IP data channel of the WLAN towards corresponding GSM data for signal and data channels of a GSM network, whereby, by means of which supplemented signal and data channels, an authentication and/or service authorization of the mobile IP node is carried out at an HLR and/or VLR of a GSM network, based on the IMSI of the SIM card of the mobile node, whereby, by means of a billing gateway interface, a billing module accesses the access server, by means of which billing gateway interface first call detail records of the mobile IP node are transmitted from the access server to the billing module, and which billing gateway interface includes an assigned billing management database with the configuration profile of each access server, second call detail records of the mobile IP node being transmitted to a proxy module, which proxy module captures at least the identity of the mobile IP node and/or duration and/or provider of the obtained service and passes it on to the billing module, and whereby the billing module generates TAP files corresponding to the obtained service, based on the data of the proxy module and the first call detail records, and transmits these together with billing instructions to a clearing module, which billing instructions include at least user-specific and/or service-provider-specific billing data, and which clearing module bills the service obtained by the user to a provider of a fixed network and/or transmits the TAP files for billing to a GSM service provider. In an embodiment variant, a first call detail record can include e.g. only SIM-based authentication information. As an embodiment variant, a second call detail record can be created based at least on the IP address of the mobile IP node and identifications of the service providers whose service was obtained by the mobile node. The billing management database can include e.g. IP addresses and/or GSM identification of the user and/or service provider. The first call detail records of the mobile IP node, which are transmitted from the access server to the billing module, can be created, among other things, SIM-based, while the second call detail records, which are transmitted from the access server to the proxy module, can be created IP-based, such as e.g. on RADIUS data. This has the advantage, among other things, that a seamless roaming between different and heterogeneous WLANs is possible. Through the combination of the WLAN technology, especially the IP networks, with the GSM technology, the roaming of the user becomes possible, without his having to bother about registration, billing, service authorization etc. with the different WLAN service providers. This means that the user enjoys the same convenience as he/she is accustomed to from mobile radio technology such as e.g. GSM. At the same time it is possible in a completely new way to combine the advantages of the open IP world (access to the worldwide Internet etc.) with the advantages of the GSM standard (security, billing, service authorization, etc.). The invention also makes it possible to create a method for roaming in WLANs without a corresponding module having to be installed in each access server. On the contrary, by using RADIUS the infrastructure (WLAN/GSM) can be taken over unchanged.
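The data flow between the two call detail record streams, the billing module and the clearing module can be sketched as follows; this is an added example, not code from the patent, and the output is a simplified dictionary rather than a real TAP file. The record fields, the shared session identifier used as join key, the tariff unit, the routing rule in `route` and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimCdr:
    """First call detail record: SIM-based, access server -> billing module."""
    session_id: str   # assumed join key shared by both record streams
    imsi: str
    auth_ok: bool


@dataclass(frozen=True)
class IpCdr:
    """Second call detail record: IP-based (e.g. RADIUS data), via the proxy module."""
    session_id: str
    ip: str
    provider_id: str
    seconds: int


# Billing management database (constructed): per WLAN provider, a PMN TAP
# identification code and an Inter Operator Tariff in milli-units per started minute.
MGMT_DB = {
    "wlan-airport": {"tap_code": "AAA01", "iot_per_min": 120},
    "wlan-hotel": {"tap_code": "BBB02", "iot_per_min": 200},
}

# IMSI prefix -> TAP code of the GSM home operator (constructed).
HOME_OPERATORS = {"00101": "HOM01"}


def build_records(sim_cdrs, ip_cdrs, mgmt_db=MGMT_DB):
    """Billing module: join both streams. Returns (billable, rejected).
    Usage is billable only when it can be tied to a successful SIM authentication."""
    auth = {c.session_id: c for c in sim_cdrs if c.auth_ok}
    billable, rejected, seen = [], [], set()
    for cdr in ip_cdrs:
        sim = auth.get(cdr.session_id)
        profile = mgmt_db.get(cdr.provider_id)
        if sim is None:
            rejected.append((cdr.session_id, "no successful SIM authentication"))
        elif profile is None:
            rejected.append((cdr.session_id, "unknown provider"))
        elif cdr.seconds <= 0:
            rejected.append((cdr.session_id, "non-positive duration"))
        elif cdr.session_id in seen:
            rejected.append((cdr.session_id, "duplicate usage record"))
        else:
            seen.add(cdr.session_id)
            minutes = -(-cdr.seconds // 60)  # round up to started minutes
            billable.append({
                "imsi": sim.imsi,
                "ip": cdr.ip,
                "sender_tap_code": profile["tap_code"],
                "seconds": cdr.seconds,
                "charge": minutes * profile["iot_per_min"],
            })
    return billable, rejected


def route(record, home_operators=HOME_OPERATORS):
    """Clearing module: send a TAP file to the GSM home operator when the IMSI
    maps to one, otherwise bill through the fixed-network provider (assumed rule)."""
    for prefix, tap_code in home_operators.items():
        if record["imsi"].startswith(prefix):
            return ("TAP", tap_code)
    return ("FIXED_NETWORK", None)


# Constructed sample input.
SIM_CDRS = [
    SimCdr("s1", "001010123456789", True),
    SimCdr("s2", "001010123456789", False),   # authentication failed
    SimCdr("s3", "999990000000001", True),    # no known GSM home operator
]
IP_CDRS = [
    IpCdr("s1", "10.0.0.5", "wlan-airport", 125),
    IpCdr("s2", "10.0.0.6", "wlan-hotel", 600),
    IpCdr("s3", "10.0.0.7", "wlan-hotel", 60),
    IpCdr("s4", "10.0.0.8", "wlan-airport", 30),   # usage without any SIM record
    IpCdr("s1", "10.0.0.5", "wlan-airport", 125),  # replayed usage record
]

if __name__ == "__main__":
    billable, rejected = build_records(SIM_CDRS, IP_CDRS)
    for rec in billable:
        print(route(rec), rec)
    for item in rejected:
        print("rejected:", item)
```
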

In an embodiment variant, the data stream of the mobile IP node during access to the WLAN from the access point is directed via a mobile radio network service provider. This has the advantage, among other things, that the mobile radio network provider has complete control over the data stream. In this way he can specifically give service authorizations, perform detailed billing, and incorporate security mechanisms. Among other things, he can thereby combine the open, difficult-to-control IP world, including e.g. the Internet, with the advantages of the GSM world. This plays a big role, e.g. with respect to liability issues of the provider or service vendor, especially recently.

In another embodiment variant, the TAP files are created based at least on Inter Operator Tariffs as well as Public Mobile Network TAP identification codes. In combination therewith or as an independent embodiment variant, it is likewise conceivable, for instance, that the billing management database includes Inter Operator Tariffs as well as Public Mobile Network TAP identification codes. This embodiment variant has the advantage, among other things, that the home network service provider (HPMN) can simply verify the IOT of the foreign network service provider (VPMN) in which the user is located at the present time (roaming). The VPMN can thereby give e.g. discounts for specific connections, and the HPMN can check that these have been correctly applied. Independently of any discount programs or call levels of the VPMN, the HPMN can thereby also simply bill each connection and/or each call according to its own tariffs, etc. The possibility of determining the prices for services regardless of in which foreign network and/or home network the user is located just now can be a valuable aid in the billing of services for an HPMN, with which, for example, the loss of special fee reductions of a VPMN can be avoided. By the same token, certain billing schemes for an HPMN can thereby be achieved in the first place, such as e.g. special prices for connections with the home network and/or homeland of the user or/or <sic. and/or> e.g. calls within communities of states, such as Europe, for instance.

It should be stressed here that, in addition to the method according to the invention, the present invention also relates to a system for carrying out this method.

Embodiment variants of the present invention will be described in the following with reference to examples. The examples of the embodiments are illustrated by the following enclosed figures:

FIG. 1 shows a block diagram schematically illustrating a method and a system according to the invention for authentication of a user during roaming in heterogeneous WLANs, mobile IP nodes 20 being connected, via an interface having contacts, to an SIM card 201, and accessing by means of a wireless connection 48 access points 21/22 of the WLAN. An access server 23 of the WLAN authenticates the mobile IP node 20 based on an IMSI stored on the SIM card 201 at an HLR 37 and/or VLR 37 of a GSM mobile radio network.

FIG. 2 shows a block diagram likewise illustrating schematically a method and system according to the invention for authentication of a user during roaming in heterogeneous WLANs, mobile IP nodes 20 being connected to a SIM card 201, via an interface having contacts, and accessing a WLAN by means of a wireless connection 48. The WLAN is connected via an access server 23 to a GSM mobile radio network, in particular to an HLR 37 and/or VLR 37, to a GGSN (Gateway GPRS Support Node) 50 via a GRX module 51 (GRX: GPRS Roaming exchange), via an Internet service provider 52 and via a clearing system 53 for the billing of the obtained services.

FIG. 3 shows a block diagram illustrating schematically a method and system according to the invention for seamless roaming in heterogeneous WLANs, the open IP world being connected to the more restrictive GSM world, by means of the method and system according to the invention, via interfaces for the authentication 371, SS7 372, service authorization 531 and billing 532.

FIG. 4 shows a block diagram illustrating schematically the set-up of an IEEE 802.1x port-based authentication method, the supplicant or remote access client 20 being authenticated via an authenticator or remote access server 21 at an authentication server 23, the WLAN being based on IEEE 802.11.

FIG. 5 shows a block diagram illustrating schematically a possible embodiment variant for SIM authentication by means of Extensible Authentication Protocol (EAP), a GSM-based challenge-response method being used.

FIG. 6 shows a block diagram illustrating schematically the structure for a recording and billing of services (billing and accounting) in the mixed environment of GSM networks 63/64 and/or fixed networks (PSTN) 61/62 according to the state of the art. In particular FIG. 6 shows the role of the TAP protocol during GSM billing and accounting between different network service providers 61/62/63/64.

FIG. 7 shows a block diagram illustrating schematically the structure for a recording and billing of services (billing and accounting) between GSM home network service providers 80 and GSM foreign network service providers 81 according to the state of the art using the TAP protocol.

FIG. 8 shows a block diagram illustrating schematically a method and a system according to the invention for recording or accounting and billing of services during roaming of a mobile IP node 20 in heterogeneous WLANs. First call detail records are thereby transmitted from an access server 23/1001 to a billing module 1003 and second call detail records from the access server to a proxy module 1002. By means of a clearing module 1004 the obtained service is billed 1016 at a provider 1008 of a fixed network 1007, and/or the TAP files 1017 are transmitted for billing to a GSM 1005 service provider 1006.

FIG. 1 illustrates an architecture that can be used to achieve the authentication of the invention. FIG. 1 shows a block diagram illustrating schematically a method and system for authentication of a user during roaming in heterogeneous WLANs. The reference numeral 20 in FIG. 1 pertains to a mobile IP node which has the necessary infrastructure including hardware and software components at its disposal to achieve a described method and/or system according to the invention. To be understood by mobile nodes 20 are, among other things, all possible so-called Customer Premise Equipment (CPE) that are provided for use at various network locations and/or in various networks. These include, for example, all IP-capable devices such as e.g. PDAs, mobile radio telephones and laptops. The mobile CPEs or nodes 20 have one or more different physical network interfaces that are also able to support a plurality of different network standards. The physical network interfaces of the mobile nodes can include, for instance, interfaces to WLAN (Wireless Local Area Network), Bluetooth, GSM (Global System for Mobile Communication), GPRS (Generalized Packet Radio Service), USSD (Unstructured Supplementary Services Data), UMTS (Universal Mobile Telecommunications System) and/or Ethernet or another Wired LAN (Local Area Network) etc. The reference number 48 accordingly stands for the different heterogeneous networks such as, for example, a Bluetooth Network, e.g. for installations in roofed-over areas, a mobile radio network with GSM and/or UMTS, etc., a wireless LAN, e.g. based on IEEE wireless 802.1x, but also a wired LAN, i.e. a local fixed network in particular also the PSTN (Public Switched Telephone Network), etc. In principle it is to be said that the method and/or system according to the invention is not tied to a specific network standard, provided that the features according to the invention are present, but can be achieved with any LAN.
The interfaces 202 of the mobile IP node can not only be packet-switched interfaces as are used directly by network protocols such as e.g. Ethernet or Token Ring, but can also be circuit-switched interfaces that can be used with protocols such as PPP (Point to Point Protocol), SLIP (Serial Line Internet Protocol) or GPRS (Generalized Packet Radio Service), i.e. those interfaces for example that do not have a network address such as a MAC or a DLC address. As mentioned in part before, the communication can, for example, take place over the LAN, for example by means of special short messages, e.g. SMS (Short Message Services), EMS (Enhanced Message Services), over a signaling channel such as e.g. USSD (Unstructured Supplementary Services Data) or other technologies, like MExE (Mobile Execution Environment), GPRS (Generalized Packet Radio Service), WAP (Wireless Application Protocol) or UMTS (Universal Mobile Telecommunications System), or over IEEE wireless 802.1x or via another user information channel. The mobile IP node 20 can include a mobile IP module and/or an IPsec module. The main task of the mobile IP consists of authenticating the IP node 20 in the IP network and of correspondingly rerouting the IP packets that have the mobile node 20 as the destination address. For further mobile IP specifications, also see for example IETF (Internet Engineering Task Force) RFC 2002, IEEE Comm. Vol. 35 No. 5 1997, etc. Mobile IP especially supports IPv6 and IPv4. The mobile IP capabilities can preferably be combined with the security mechanisms of an IPsec (IP security protocol) module to guarantee secure mobile data management in the public Internet. IPsec (IP security protocol) generates authentication/confidentiality mechanisms packet-wise or socket-wise between network hubs that both utilize IPsec. One of the flexibilities of IPsec lies especially in that it can be configured packet-wise as well as for individual sockets. IPsec supports IPvx, especially IPv6 and IPv4.
For detailed IPsec specifications refer, for example, to Pete Loshin: IP Security Architecture; Morgan Kaufmann Publishers; November 1999 or A Technical Guide to Ipsec; James S et al.; CRC Press, LLC; December 2000, etc. Although IPsec is used in this embodiment example as an example in describing the use of security protocols on the IP level, all other possible security protocols or security mechanisms or even the omission of security protocols are conceivable according to the invention.

Furthermore, via an interface having contacts, the mobile IP node 20 is connected to a SIM card 201 (SIM: Subscriber Identity Module), on which the IMSI (International Mobile Subscriber Identifier) of a user of GSM networks is stored. For authentication the mobile IP node 20 requests via a wireless interface 202 within the basic service area of a WLAN at an access point 21/22 access to the WLAN. As already described, the different WLANs of different hot spots can embrace heterogeneous network standards and protocols such as, for example, WLAN based on the IEEE wireless 802.1x, Bluetooth etc. The basic service area of the WLAN encompasses one or more access points 21/22 assigned to an access server 23. The mobile IP node 20 transmits to the access server 23, upon request of the access server 23, an IMSI stored on the SIM card 201 of the mobile IP node 20. The IMSI of the mobile IP node 20 is stored using a SIM-RADIUS module 30. Based on the IMSI, the logical IP data channel of the WLAN is supplemented user-specifically towards corresponding GSM data for signal and data channels of a GSM network using information stored in an SIM user database 34. The GSM system encompasses data channels, the so-called traffic channels, and control signal channels, the so-called signaling channels. The traffic channels (e.g. TCH/FS, TCH/HS, TCH/F9.6/4.8/2.4 and TCH/H4.8/2.4 etc.) are reserved for user data, while the signaling channels (e.g. CCCH: Common Control Channels, RACH: Random Access Channels, DCCH: Dedicated Control Channels, CBCH: Cell Broadcast Channel etc.) are used for network management, control functions etc. The logical channels cannot be used over the interface simultaneously, but only in certain combinations according to the GSM specifications.
By means of a SIM gateway module 32, to perform the authentication of the IP node based on the GSM data, the required SS7/MAP functions (SS7: Signaling System 7 of the International Telecommunications Union (ITU)/MAP: Mobile Application Part of the GSM standard) are generated, the SIM-RADIUS module 30 carrying out the authentication of the mobile IP node at an HLR 37 (Home Location Register) and/or VLR 37 (Visitor Location Register) of a GSM network, by means of SIM user database 34 and SIM gateway module 32, based on the IMSI of the SIM card 201 of the mobile node 20. The SS7 telecommunications protocol of the ITU is characterized by so-called high-speed circuit switching with out-of-band signaling, whereby Service Switching Points (SSPs), Signal Transfer Points (STPs), and Service Control Points (SCPs) (also frequently designated together as SS7 nodes) are used. Out-of-band signaling is a signal transmission for which not the same data channels are used as for data transmission or voice transmission. For this purpose a separate digital channel (signal channel) is generated, via which signals can be transmitted between two network components typically at 56 or 64 kilobits per second. The SS7 architecture is conceived such that each network component (node) can exchange signals with any other SS7-capable node, and not merely switches which are directly connected to one another.

As illustrated in FIG. 5, the authentication of the mobile IP node 20 can be performed by means of the Extensible Authentication Protocol (EAP). The following challenge-response method can be adopted, for example, for the EAP-based method for authentication of a user and for allocation of session keys to the user by means of the GSM Subscriber Identity Module (SIM). The authentication algorithm of the SIM card is given, as a challenge (question), a 128-bit random number (RAND). A confidential algorithm, specific to the respective operator, then runs on the SIM card that receives as input the random number RAND and a secret key Ki, stored on the SIM card, and generates therefrom a 32-bit response (SRES) and a 64-bit key Kc. Kc serves to encode the data transfer via wireless interfaces (GSM Technical Specification GSM 03.20 (ETS 300 534): “Digital cellular telecommunication system (Phase 2); Security related network functions,” European Telecommunications Standards Institute, August 1997). For authentication several RAND challenges are used to generate several 64-bit Kc keys. These Kc keys are combined into a longer session key. FIG. 4 shows schematically the set-up between the mobile IP node 20, the access point 21 and the access server 23 in an IEEE 802.1x port-based authentication method, the mobile IP node 20 (remote access client/supplicant) being authenticated via the access point 21 (authenticator) at the access server 23 (authentication server). The WLAN in this embodiment example is based on IEEE 802.11. In order to perform the GSM authentication, the SIM gateway module 32 functions as a gateway between Internet Authentication Service (IAS) server network and the GSM authentication infrastructure, i.e. the access point 21/22 or respectively the access server 23 and the HLR 37 or respectively the VLR 37.
At the start of the EAP/SIM authentication, the access server 23 requests with a first EAP request 1 through the access point 21/22 from the mobile IP node 20, among other things, the International Mobile Subscriber Identity (IMSI) of the user. This is transmitted by the mobile IP node via EAP response 2 to the access point 21/22. Upon a triplet request from the respective HLR 37, or respectively named VLR 37, the access server 23 receives, with the IMSI, n GSM triplets. Based on the triplets, the access server 23 is able to receive a message authentication code for n*RAND and a lifespan for the key (together MAC_RAND) as well as a session key. In a third EAP step 3 (FIG. 5) the access server 23 then sends, for example, an EAP request of type 18 (SIM) to the mobile IP node 20, and receives the corresponding EAP response 4. EAP data packets of SIM type additionally have a special subtype field. The first EAP request/SIM is of subtype 1 (start). This packet contains a list of the EAP/SIM protocol version numbers which are supported by the access server 23. The EAP response/SIM (start) 4 (FIG. 5) of the mobile IP node 20 contains the version number selected by the mobile IP node 20. The mobile IP node 20 must select a version number specified in the EAP request. The EAP response/SIM (start) of the mobile IP node 20 also contains a lifespan suggestion for the key and a random number NONCE_MT, which has been generated by the mobile IP node. All subsequent EAP requests contain the same version as the EAP response/SIM (start) data packet of the mobile IP node 20. As mentioned, to perform the GSM authentication, this embodiment variant possesses a SIM gateway module 32 that serves as a gateway between the access server 23 and the HLR 37 or respectively the VLR 37. After receipt of the EAP response/SIM, the access server 23 receives n GSM triplets from the HLR/VLR 37 of the GSM network. From the triplets the access server 23 calculates MAC_RAND and the session key K.
The calculation of the cryptographic values of the SIM-generated session key K and of the message authentication codes MAC_RAND and MAC_SRES can be learned, for instance, from the document “HMAC: Keyed-Hashing for Message Authentication” by H. Krawczyk, M. Bellare and R. Canetti (RFC 2104, February 1997). The next EAP request 5 (FIG. 5) of the access server 23 is of type SIM and subtype challenge. The request 5 contains the RAND challenges, the lifespan of the key determined by the access server 23, a message authentication code for the challenges and the lifespan (MAC_RAND). After receipt of the EAP request/SIM (challenge) 5, the GSM authentication algorithm 6 runs on the SIM card, and calculates a copy of MAC_RAND. The mobile IP node 20 checks that the calculated value of MAC_RAND is equal to the received value of MAC_RAND. If there is not a correspondence between the two values, the mobile IP node 20 aborts the authentication method and does not forward any of the authentication values calculated by the SIM card to the network. Since the RAND value is received together with the message authentication code MAC_RAND, the mobile IP node 20 can ensure that the RAND is new and was generated by the GSM network. If all checks have been correct, the mobile IP node 20 sends an EAP response/SIM (challenge) 7, which contains as an answer the MAC_SRES of the mobile IP node 20. The access server 23 checks that the MAC_SRES is correct, and finally sends an EAP success data packet 8 (FIG. 5), which shows the mobile IP node 20 that the authentication was successful. The access server 23 can additionally send the received session key with the authentication report (EAP success) to the access point 21/22. With a successful authentication, a location update is carried out at the HLR 37 and/or VLR 37, and the mobile IP node 20 receives a corresponding entry in a customer database of the access server, the WLAN being released for use by the mobile IP node 20.
As was mentioned, this has the advantage, among other things, that a seamless roaming between different and heterogeneous WLANs becomes possible. Through the combination of WLAN technology, especially of the IP networks, with GSM technology, roaming of the user becomes possible without his/her having to bother about registration, billing, service authorization, etc., at the respective WLAN service providers, i.e. the user enjoys the same convenience as he/she is accustomed to from mobile radio technology such as, for example, GSM. At the same time it is possible in a completely new way to combine the advantages of the open IP world (access to the worldwide Internet etc.) with the advantages of the GSM standard (security, billing, service authorization, etc.). The invention also makes it possible to create a method for roaming in WLANs without a corresponding module having to be installed in each access server. On the contrary, by using RADIUS, the infrastructure (WLAN/GSM) can be taken over unchanged.
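
The challenge-response exchange described above, sketched as an added Python example that is not part of the patent text. The operator's SIM algorithm is confidential, so `sim_algorithm` is an HMAC-SHA-256 stand-in; the way the Kc keys and NONCE_MT are combined into K, the HMAC-SHA-1 inputs chosen for MAC_RAND and MAC_SRES, the IMSI and all function names are assumptions made for illustration and do not reproduce the EAP/SIM wire format.

```python
import hashlib
import hmac
import os
import struct

IMSI = "001010123456789"  # constructed test IMSI, not a real subscriber


class AuthAborted(Exception):
    """Raised by the mobile node when the received MAC_RAND does not verify."""


def sim_algorithm(ki, rand):
    """STAND-IN (assumption) for the confidential operator algorithm on the SIM:
    128-bit RAND + secret Ki -> 32-bit SRES and 64-bit Kc."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def hlr_triplets(ki, n=3):
    """HLR/VLR side: n GSM triplets (RAND, SRES, Kc) for one subscriber."""
    triplets = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = sim_algorithm(ki, rand)
        triplets.append((rand, sres, kc))
    return triplets


def session_key(kcs, nonce_mt):
    """Assumed combination of several 64-bit Kc keys into a longer session key K."""
    return hashlib.sha256(b"".join(kcs) + nonce_mt).digest()


def mac_rand(k, rands, lifetime):
    """MAC over the RAND challenges and the key lifespan (RFC 2104 HMAC)."""
    return hmac.new(k, b"".join(rands) + struct.pack(">I", lifetime), hashlib.sha1).digest()


def mac_sres(k, sres_values, imsi):
    """MAC over the SRES values; binding in the IMSI is an assumption."""
    return hmac.new(k, b"".join(sres_values) + imsi.encode("ascii"), hashlib.sha1).digest()


def server_challenge(triplets, nonce_mt, lifetime):
    """Access server: build the EAP request/SIM (challenge) contents and K."""
    k = session_key([kc for _, _, kc in triplets], nonce_mt)
    rands = [rand for rand, _, _ in triplets]
    return rands, mac_rand(k, rands, lifetime), k


def node_respond(ki, nonce_mt, rands, lifetime, received_mac_rand):
    """Mobile node: verify MAC_RAND first; only then release MAC_SRES."""
    results = [sim_algorithm(ki, rand) for rand in rands]
    k = session_key([kc for _, kc in results], nonce_mt)
    if not hmac.compare_digest(mac_rand(k, rands, lifetime), received_mac_rand):
        raise AuthAborted("MAC_RAND mismatch: no SIM-derived value leaves the node")
    return mac_sres(k, [sres for sres, _ in results], IMSI)


def server_verify(k, triplets, received_mac_sres):
    """Access server: check MAC_SRES before sending EAP success."""
    expected = mac_sres(k, [sres for _, sres, _ in triplets], IMSI)
    return hmac.compare_digest(expected, received_mac_sres)


def run_exchange(node_ki, hlr_ki, tamper_rand=False, lifetime=3600):
    """One full exchange; returns 'success', 'node-aborted' or 'server-rejected'."""
    nonce_mt = os.urandom(16)  # sent by the node in the EAP response/SIM (start)
    triplets = hlr_triplets(hlr_ki)
    rands, tag, k = server_challenge(triplets, nonce_mt, lifetime)
    if tamper_rand:  # a challenge altered in transit
        rands = [os.urandom(16)] + rands[1:]
    try:
        response = node_respond(node_ki, nonce_mt, rands, lifetime, tag)
    except AuthAborted:
        return "node-aborted"
    return "success" if server_verify(k, triplets, response) else "server-rejected"
```

Because the node's check of MAC_RAND comes before anything derived from SRES is sent, a challenge that was altered in transit or built without knowledge of Ki ends in `node-aborted` rather than in a response the other side could use.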

FIG. 2 and FIG. 3 show schematically in a block diagram a method and system according to the invention, how the open IP world 57 are <sic. is> connected to the more restrictive GSM world 58 via the interfaces for the authentication 371, SS7 372, service authorization 531 and billing 532. The reference number 38 thereby indicates different mobile radio network service providers with assigned HLR/VLR 37. As an embodiment variant, it is conceivable for the data stream of the mobile IP node 20 during access to the WLAN from the access point 21/22 to be directed via the mobile radio network service provider 38. This allows the mobile radio network service provider 38 to grant, based on the authentication by means of the IMSI, user-specific service authorization for use of different services and/or to carry out user-specific billing of the service obtained. The service authorization could be carried out, however, e.g. directly at the access point 21/22 by means of a module 214. Furthermore, in the case of FIG. 2, mobile IP nodes 20 are connected to an SIM card 201 via an interface having contacts, and access a WLAN by means of a wireless connection 48. The WLAN is connected via an access server 23 to a GSM mobile radio network, in particular to an HLR 37 and/or VLR 37, to a GGSN (Gateway GPRS Support Node) 50 via a GRX module 51 (GRX: GPRS Roaming eXchange), an Internet service provider 52 and to a clearing system 53 for the billing of the services obtained.

It is to be mentioned that, in an embodiment example extended from the above-mentioned embodiment example, during the authentication, the SIM user database 34 is connected to a sync module 35 and a sync database 36 for changing or deleting existing user datasets or inserting new user datasets, the comparison of the databases 34/36 being performed periodically and/or initiated through changes in the sync database 36 and/or through failure of the SIM user database 34. The sync module 35 and the sync database 36 can be achieved, like the other components according to the invention, through hardware or through software as discrete network components, e.g. as discrete IP node and/or GSM components, or assigned to another system component and/or integrated into another system component. With this embodiment variant, the mobile radio network service providers 38 can proceed in changing or deleting existing user datasets or in inserting new user datasets in the same way as before with their user databases, i.e. without having to purchase or maintain additional systems.

FIG. 6 shows a block diagram illustrating schematically the structure for a recording and billing of services (billing and accounting) in the mixed environment of GSM networks 63/64 and/or fixed networks (PSTN) 61/62 according to the state of the art. On the other hand, FIG. 7 shows schematically in a block diagram the structure for a recording and billing of services (billing and accounting) between GSM home network service providers 80 and GSM foreign network service providers 81 according to the state of the art, likewise using the TAP protocol. Known in the state of the art for the billing and accounting of the service obtained by mobile units in GSM networks is the so-called TAP protocol (TAP: Transferred Account Procedure) of the Transferred Account Data Interchange Group (TADIG) of the GSM Association. In FIG. 6, the reference numerals 61 and 62 represent fixed network service providers (PSTN/ISDN). The reference numeral 70 is the normal billing and accounting of fixed network calls among fixed network service providers of the state of the art. The reference numeral 71 is the billing and accounting between different GSM mobile radio network service providers 63/64 by means of TAP protocol. The reference numeral 72 is the mentioned wholesale billing, while the reference numeral 73 represents correspondingly retail billing. The reference numerals 65/66 stand for GSM service providers. The users 57/58 are thus billed either by means of wholesale billing 72 via a service provider 65/66 or directly by means of retail billing 72 by the GSM mobile radio network service providers 63/64. FIG. 7 shows a possible exchange of data between two network operators 80/81 based on TAP. Details 813 of a call by a user 90, who is located in a foreign network (VPLMN: Visited Public Land-based Mobile Network) 81/902, is <sic. are> registered in a Mobile Switching Center (MSC) 812 of the network 81. Each call thus generates one or more call records 813.

The GSM standard for these records is defined in GSM 12.05, although many providers use their own formats. The call records 813 of the MSC 812 are transmitted to a billing system 811 of the VPLMN 81 for billing. These call records 813 are then converted into TAP format 814, and assigned to the respective user 90. At the latest within 36 hours the TAP records 814 are sent to the respective mobile radio network service provider 801 of the home network 80. The TAP files 814 contain additionally information relating to the provider service tariff (IOT: Inter Operator Tariff) and all further bilateral agreements and privilege or discount schemes. The TAP records are sent directly or more commonly via a billing point such as e.g. a clearing house. If the home network operator (HPMN: Home Public Mobile Network) 801 receives a TAP record 814 from the VPLMN 811, this is converted into a corresponding internal format 802, and is billed together with the normal call records of the user 90 which he generates in the home network 80. In the case of wholesale billing, in which a service provider 82 bills 901 the costs arising to the user 90, the HPMN 801 passes on the records 802 to the service provider 82, who can then re-bill the calls, in particular according to own tariffs, and who generates 821 the statement of accounts 83 with e.g. call details for the user 90. With this method the user 90 is consequently always billed 901 via the HPMN 801.

FIG. 8 shows a method and system according to the invention for recording and billing of services during roaming of a mobile IP node 20 in heterogeneous WLANs <whereby> the mobile IP node 20 accesses an access point 21/22 of a WLAN within a basic service area of a WLAN via a wireless interface. The basic service area of the WLAN includes one or more access points 21/22 assigned to an access server 23/1001. Via the respective access point 21/22, the mobile IP node 20 transmits to the access server 23/1001, upon request of the access server 23/1001, an IMSI stored on an SIM card 201 of the mobile IP node 20. The IMSI of the IP node 20 is stored in a database 31 of an SIM-RADIUS module 30. By means of an SIM user database 34 and an SIM gateway module 32, an SIM-RADIUS module 30 supplements user-specifically the logical IP data channel of the WLAN towards corresponding GSM data for signal and data channels of a GSM network. Over the supplemented signal and data channels, an authentication and/or service authorization of the mobile IP node 20 is carried out at an HLR 37 and/or VLR 37 of a GSM network, based on the IMSI of the SIM card 201 of the mobile node 20, as described in FIGS. 1, 2 and 3. For the billing and accounting, a billing module 1003 accesses the access server 23/1001 by means of a billing-gateway interface 1031. Via the billing gateway interface 1031, first call detail records of the mobile IP node 20 are transmitted 1011 from the access server 23/1001 to the billing module 1003. The billing module 1003 possesses an assigned software and/or hardware-achieved module, by means of which it can obtain from the access server 23/1001 CDR files via the billing gateway interface 1031, and transmit them to the billing module 1003 and/or to the proxy module 1002. The download can take place periodically, such as e.g. daily, and/or upon request of an access server 23/1001 and/or of the billing module 1003 and/or of the proxy module 1002.
Such a first call detail record can be designated in the billing module 1003 e.g. with a correspondingly defined file application identifier. A first call detail record can contain e.g. SIM-based authentication information. The SIM-based authentication information can be, among other things, a hotspot ID, a file number for the sequence of the files obtained as well as include a so-called transfer cut-off time stamp (such as defined e.g. in GSM PRD TD.57). To enable simple access to the access server, the CDRs can be stored on an access server e.g. in three different directories. For instance, a directory with open files, i.e. files which will still be changed, a directory with files which are in fact closed (i.e. are no longer changed), but are marked as not to be sent, and finally a directory with files which are closed and are ready to be sent. The billing gateway interface 1031 includes an assigned billing management database 1032 with the configuration profile of each access server 23/1001. This means that the billing module 23/1001 can obtain from the billing management database 1032 the communication profile for a desired access server 23/1001 of a hot spot. The billing management database 1032 contains all essential profiles and operational configurations which are required for data exchange and operation with the GSM service providers 1006, WLAN service providers and hotspots. The billing management database 1032 can include in particular e.g. IP addresses and/or GSM identification of the users and/or service providers. Based on, among other things, information from the billing management database 1032, the CDR (IP addresses, etc.), TAP files (PMN codes (Public Mobile Network TAP identifier code), IOTs), billing instructions for the WLAN service providers (amounts, etc.) and hotspot authorization for GSM service providers (signaling, etc.) are created, among other things.
Conceivable as an embodiment variant is, in particular, an automated update method for the billing management database by means of a signaling gateway module. Such an update method would enable a consistent and current authentication and authorization of the billing module 1003 with the various access servers 1001. Furthermore second call detail records of the mobile IP node 20 are transmitted 1010 to a proxy module 1002, the proxy module 1002 capturing at least the identity of the mobile IP node 20 and/or duration and/or provider of the service obtained, and passing it on 1012 to the billing module 1003. The download can take place by means of the mentioned module achieved through software and/or hardware, which module can obtain CDR files from the access server 23/1001 via the billing gateway interface 1031 and transmit them to the billing module 1003 and/or the proxy module 1002. The download can take place periodically, such as e.g. daily, and/or upon request of an access server 23/1001 and/or of the proxy module 1002 and/or of the billing module 1003. The second call detail records can be created e.g. based at least on the IP address of the mobile IP node and identifications of the service providers, whose service was obtained by the mobile node. This means that the first call detail records of the mobile IP node, which are transmitted from the access server to the billing module, are created SIM-based, among other things, while the second call detail records, which are transmitted from the access server to the proxy module, are IP-based, such as e.g. on RADIUS information. Data from the second CDR are required, among other things, for the billing and clearing of the services of the users and of the WLAN service providers. The billing module 1003 generates TAP files 1014 corresponding to the service obtained, and transmits these together with billing instructions 1013 to a clearing module 1004. This means that the incoming IMSI-authenticated CDRs are each converted into TAP format.
The TAP files can also be created e.g. based on Inter Operator Tariffs as well as Public Mobile Network TAP identification codes. In combination therewith, or as an independent embodiment variant, it is likewise conceivable, for example, for the billing management database to include Inter Operator Tariffs as well as Public Mobile Network TAP identification codes. The billing instructions 1013 include at least user-specific and/or service-provider-specific billing data. The clearing module 1004 can bill 1016 the service obtained by the user 1008 to a provider 1008 of a fixed network 1007 and/or transmit the TAP files 1017 to a GSM 1005 service provider 1006 for billing. It is to be mentioned that all modules and/or network components according to the invention can be achieved through hardware as well as also through software. Also during access of the WLAN from the access point 21/22 the data stream of the mobile IP node 20 can be directed via a mobile radio network service provider. The mobile radio network service provider can thereby obtain complete control over the data flow of the user. In this way he can also for the IP world specifically give service authorizations, carry out detailed billing and incorporate security mechanisms. Among other things he can thereby combine the open, difficult-to-control IP world, including the Internet, for example, with the advantages of the GSM world. This plays a big role, e.g. with respect to liability issues of the provider or service vendor, especially recently.
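
The record flow of FIG. 8, as an added Python sketch that is not part of the patent text: SIM-based first call detail records are joined with IP-based second call detail records, rated with the hotspot's Inter Operator Tariff, and checked for the two inconsistencies a billing operator would want flagged (missing file sequence numbers, and usage with no IMSI-authenticated counterpart). The dictionaries are a simplified stand-in for TAP files, and the `session_id` join key, all field names, PMN codes, tariffs and sample records are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed stand-in for the billing management database: one profile per hotspot.
BILLING_DB = {
    "hs-001": {"pmn_code": "TSTW1", "iot_per_min": Decimal("0.20"), "wlan_provider": "wlan-a"},
    "hs-002": {"pmn_code": "TSTW2", "iot_per_min": Decimal("0.35"), "wlan_provider": "wlan-b"},
}
# Constructed mapping from IMSI prefix to the home operator's PMN code.
HOME_PMN = {"00101": "TSTH1"}

# First call detail records (SIM-based), grouped in numbered files per access server.
FIRST_CDR_FILES = [
    {"hotspot_id": "hs-001", "file_seq": 1, "cutoff": "2004-03-01T00:00:00Z",
     "records": [{"session_id": "s1", "imsi": "001010000000001"}]},
    {"hotspot_id": "hs-001", "file_seq": 2, "cutoff": "2004-03-02T00:00:00Z",
     "records": [{"session_id": "s2", "imsi": "001010000000002"}]},
    {"hotspot_id": "hs-001", "file_seq": 4, "cutoff": "2004-03-04T00:00:00Z", "records": []},
    {"hotspot_id": "hs-002", "file_seq": 1, "cutoff": "2004-03-01T00:00:00Z",
     "records": [{"session_id": "s3", "imsi": "001010000000001"}]},
]
# Second call detail records (IP-based, e.g. from RADIUS data) captured by the proxy module.
SECOND_CDRS = [
    {"session_id": "s1", "ip": "10.0.0.11", "provider_id": "wlan-a", "duration_s": 125},
    {"session_id": "s2", "ip": "10.0.0.12", "provider_id": "wlan-a", "duration_s": 600},
    {"session_id": "s3", "ip": "10.1.0.7", "provider_id": "wlan-b", "duration_s": 61},
    {"session_id": "s9", "ip": "10.0.0.99", "provider_id": "wlan-a", "duration_s": 900},
]


def sequence_gaps(files):
    """Return {hotspot_id: [missing file numbers]} from the per-hotspot file sequence."""
    seen = defaultdict(set)
    for f in files:
        seen[f["hotspot_id"]].add(f["file_seq"])
    gaps = {}
    for hotspot_id, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[hotspot_id] = missing
    return gaps


def build_tap(files, second_cdrs):
    """Join both CDR kinds; return (tap_records, billing_instructions, unmatched)."""
    authenticated = {}
    for f in files:
        for rec in f["records"]:
            authenticated[rec["session_id"]] = (f["hotspot_id"], rec["imsi"])
    tap_records, unmatched = [], []
    instructions = defaultdict(Decimal)  # amount owed per WLAN service provider
    for cdr in second_cdrs:
        match = authenticated.get(cdr["session_id"])
        home = HOME_PMN.get(match[1][:5]) if match else None
        if home is None:
            # Usage without an IMSI-authenticated record (or unknown home operator)
            # is never rated; it is reported for investigation instead.
            unmatched.append(cdr["session_id"])
            continue
        hotspot_id, imsi = match
        profile = BILLING_DB[hotspot_id]
        minutes = -(-cdr["duration_s"] // 60)  # round started minutes up
        charge = profile["iot_per_min"] * minutes
        tap_records.append({"sender_pmn": profile["pmn_code"], "recipient_pmn": home,
                            "imsi": imsi, "ip": cdr["ip"],
                            "duration_s": cdr["duration_s"], "charge": charge})
        instructions[profile["wlan_provider"]] += charge
    return tap_records, dict(instructions), unmatched
```

With the constructed data, file number 3 of `hs-001` is reported as missing and session `s9` is held back as unmatched rather than converted into a billable record.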

1. Computer-aided method for recording and billing of services during roaming of a mobile IP node in heterogeneous WLANs, comprising: accessing, via a mobile IP node, an access point of a WLAN within a basic service area of the WLAN by a wireless interface, the basic service area of the WLAN including one or more access points assigned to an access server; receiving, by the mobile IP node, a request from the access server to transmit to the access server an IMSI stored on a SIM card of the mobile IP node, the IMSI of the mobile IP node being stored in a database of a SIM-RADIUS module; transmitting, from the mobile IP node the IMSI stored on the SIM card of the mobile IP node, to a SIM user database and a SIM gateway allowing the SIM-RADIUS module to supplement a user specified logical IP data channel of the WLAN toward corresponding GSM data for signal and data channels of a GSM network, at least one of an authentication or service authorization of the mobile IP node being carried out at one of an HLR or a VLR of the GSM network based on the IMSI of the SIM card of the mobile IP node; employing a billing gateway interface to enable a billing module to access the access server, the billing module receiving a first call detail record of the mobile IP node transmitted from the access server, the billing gateway interface including an assigned billing management database with a configuration profile for each access server; transmitting, to a proxy module, a second call detail record of the mobile IP node, the proxy module capturing data relating to at least one of an identity of the mobile IP node, a duration of the obtained service, or a provider of the obtained service; transferring, from the proxy module to the billing module, the captured data; generating, in the billing module, TAP files corresponding to service obtained by the mobile IP node based on the transferred captured data from the proxy module and the first call detail record; transmitting the generated TAP files, together with billing instructions, from the billing module to a clearing module, the billing instructions including at least one of user-specific or service-provider-specific billing data, the clearing module at least one of billing the service obtained by the user to a provider of a fixed network or transmitting the TAP files to a GSM service provider for billing.
2. Computer-aided method according to claim 1, wherein the first call detail record is created based at least on the IP address of the mobile IP node and identification of the service provider whose service was obtained by the mobile IP node.
3. Computer-aided method according to claim 1, wherein a data stream of the mobile node, when accessing the WLAN from the access point, is directed by a mobile radio network service provider.
4. Computer-aided method according to claim 1, wherein the TAP files are created based on at least one of Inter Operator Tariffs and Public Mobile Network TAP identification codes.
5. Computer-aided method according to claim 1, wherein the billing instructions are retrieved from a billing management database including at least one of IP addresses or GSM identification of at least one of the users or service providers.
6. Computer-aided method according to claim 5, wherein the billing management database includes at least one of Inter Operator Tariffs and Public Mobile Network TAP identification codes.
7. Computer-aided method according to claim 1, wherein the first call detail record of the mobile IP node is transmitted from the access server to the billing module, the first call detail record being SIM-based, and the second call detail record is transmitted from the access server to the proxy module, the second call detail record being IP-based.
8. System for recording and billing services during roaming of a mobile IP node in heterogeneous WLANs, comprising: at least one WLAN with a basic service area in each case, which basic service area of the WLAN at least one access point assigned to an access server, the at least one access point including a wireless interface for communication with at least one mobile IP node; at least one mobile IP node including a SIM card for storing an IMSI; at least one access server comprising: a SIM-RADIUS module; a SIM user database, and a SIM gateway module for user-specific supplementation of a logical IP data channel of the WLAN toward corresponding GSM data for signal and data channels of a GSM network, at least one of authentication or service authorization of the mobile IP node being carried out at one of an HLR or a VLR of the GSM network, based on the IMSI of the SIM card of the mobile node; a billing module with a billing gateway interface for access to multiple access servers, at least one first call detail record of the mobile IP node being receivable by the billing module, and the billing gateway interface including a billing management database with configurations of individual access servers; and a proxy module for downloading a second call detail record of the mobile IP node from the at least one access server, the proxy module capturing at least one of an identity of the mobile IP node, a duration of the obtained service, and a provider of the obtained service to be passed on to the billing module, wherein the billing module generates TAP files corresponding to service obtained by the mobile IP node based on the captured data, the TAP files being transmittable, together with billing instructions, to a clearing module, the billing instructions including at least one of user-specific or service-provider-specific billing data.
9. System according to claim 8, wherein, in the access server, the second call detail record is created based at least on an IP address of the mobile IP node and identification of the service provider whose service was obtained by the mobile IP node.
10. System according to claim 8, wherein a data stream of the mobile IP node during access to the WLAN from the access point is directed by a mobile radio network service provider.
11. System according to claim 8, wherein the TAP files include information relating to at least one of Inter Operator Tariffs and Public Mobile Network TAP identification codes.
12. System according to claim 8, wherein the billing management database includes at least one of IP addresses or GSM identification of at least one of the users or service providers.
13. System according to claim 8, wherein the billing management database includes at least one of Inter Operator Tariffs and Public Mobile Network TAP identification codes.
14. System according to claim 8, wherein the first call detail record of the mobile IP node is transmitted to the billing module, the first call detail record being SIM-based, and the second call detail record is transmitted to the proxy module, the second call detail record being IP-based.